Skip to main content
Question

Binding to Active Directory using config profile, Sierra 10.12.5

  • July 7, 2017
  • 6 replies
  • 60 views
E
Forum|alt.badge.img+3

Hello all,

Having trouble binding a machine to AD,

I'm currently using a Binding Profile set up in config manager with the following fields configured

  1. General
  2. Directory
  3. Certificate (is this necessary?)

General - obvious info

Directory

Directory type
Active Directory

Server address
region.office.domain.com

username + pw of generic account used for domain joining (cofirmed this account works with a manual bing through directory utility)

Client ID office.domain.com

OU
Computers_Macs (corresponds with relevant OU in our AD)

Create mobile account
Require confirmation before creating mobile account
Use UNC path

Certificate
Printserver certificate from our CA (recent - previously I tried binding without a cert as I had read this shouldn't be a problem)

I get fails on all attempts, 'attempt to bind to the server 'region.office.domain.com returned an unspecified error'

Is there something obvious I am doing wrong?

Is there a better way to do this, via script or something? Im not sure how I would get around the machine name settings in that case

Please go easy on me!

PS: I am aware some are of the opinion that it is easier to bind as part of the initial build, but I've build about a hundred machines already without a bind, so redoing them isn't an option at the moment.

Any help appreciated

    6 replies

    K
    Forum|alt.badge.img+13
    • kerouak
    • Valued Contributor
    • July 7, 2017

    try this...

    MacModel="$(system_profiler SPHardwareDataType | grep 'Model Name')"

    computeridtmp="$(scutil --get ComputerName)"
    computerid="$(echo ${computeridtmp})"

    Standard parameters

    domain="DOMAIN NAME HERE"
    udn="CasperLDAP" password="$(echo SkBtZm5AdGlvbgo= | openssl enc -base64 -d)"

    Advanced options AD Plugin

    alldomains="enable"
    localhome="enable"
    protocol="smb"
    mobile="enable"
    mobileconfirm="disable"
    useuncpath="enable"
    user_shell="/bin/bash"
    preferred="-nopreferred"
    admingroups="domain admins,enterprise admins"
    packetsign="allow"
    packetencrypt="allow"
    passinterval="14" namespace="domain"

    Time Sync

    Remove Existing Directory Services Config

    if [ ! -d "/Library/Preferences/DirectoryService/ActiveDirectory" ]; then
    rm -R /Library/Preferences/DirectoryService/ActiveDirectory*
    fi

    if [ ! -d "/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig" ]; then
    rm -R /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig*
    fi

    if [ ! -d "/Library/Preferences/DirectoryService/SearchNode" ]; then
    rm -R /Library/Preferences/DirectoryService/SearchNode*
    fi

    if [ ! -d "/Library/Preferences/DirectoryService/ContactsNode" ]; then
    rm -R /Library/Preferences/DirectoryService/ContactsNode*
    fi

    if [ ! -d "/Library/Preferences/edu.mit.Kerberos" ]; then
    rm -R /Library/Preferences/edu.mit.Kerberos
    fi

    if [ ! -d "/etc/krb5.keytab" ]; then
    rm -R /etc/krb5.keytab
    fi

    Clean up the DirectoryService configuration files

    rm -vfR "/Library/Preferences/DirectoryService/"
    rm -vfR "/Library/Preferences/DirectoryService/.    "

    Activate the AD plugin

    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

    Bind to AD

    dsconfigad -force -add $domain -computer $computerid -username $udn -password "$password" -ou "$ou"

    Configure advanced AD plugin options

    if [ "$admingroups" = "" ]; then dsconfigad -nogroups
    else dsconfigad -groups "$admingroups"
    fi

    dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath -shell $user_shell $preferred -packetsign $packetsign -packetencrypt $packetencrypt -passinterval $passinterval -namespace $namespace

    Add the OD & AD node to the search path

    if [ "$alldomains" = "enable" ]; then csp="/Active Directory/All Domains"
    else csp="/Active Directory/$domain"
    fi

    exit 0

    E
    Forum|alt.badge.img+3
    • EmDee
    • Author
    • New Contributor
    • July 7, 2017

    @kerouk, thanks so much for the reply!! but excuse my thickness.

    Should I separate that as 8 different scripts set to run, with triggers being the ending of the previously run script?

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • July 7, 2017

    Looks like @kerouak forgot to enclose his script in the script tags here. The large bolded text are all comments, like this

    # Add the OD & AD node to the search path

    They aren't separate scripts.

    That being said, have you explored using the built in JSS binding config? That still works interestingly enough.
    Scripting an AD bind is fine, sometimes even preferable since you have more granular control over it. We sometimes use scripts, but we also use the built in Directory Binding configuration to do this, which really does work well in most cases.
    I would at least explore this before resorting to using scripts.

    Though I'm not certain why the Config Profile route is giving you trouble, I wonder if the OU you're binding to is the issue. You noted the OU is Computers_Macs, but is there a full OU in there, something like: OU=Computers,OU=Computer_Macs,DC=domain,DC=org,DC=com ?
    I think it needs to be a full OU designation like that to work.

    One other suggestion is to try manually binding a Mac with Directory Utility using all the same settings in the GUI. If it works, then the same settings in a Binding config, or Configuration Profile, or even a script should work.

    D
    Forum|alt.badge.img+15
    • debrat
    • Contributor
    • July 8, 2017

    @EmDee Have you tried configuring directory binding in the JAMF settings > Computer management > Directory Bindings and then set a policy with the directory binding config you created?

    E
    Forum|alt.badge.img+3
    • EmDee
    • Author
    • New Contributor
    • July 10, 2017

    @mm2270 Thanks!

    Sadly I can't get the script to work for me when pushed from JAMF, after running sudo jamf -policy in order to fetch the script, I get a load of 'command not found' errors when it runs.

    Checking on the OU now

    @debrat

    Yup I've used the directory bindings feature (global system settings > Directory bindings) and then added that directory binding to a profile - but still no luck, and I can bind with the exact details that I enter, and I have no time mismatch or anything obvious that would prevent the bind from working, I get errors ranging from 'the authentication server could not be contacted' to an error 10001.

    Very frustrating

    Thanks for the help guys, I really appreciate it

    E
    Forum|alt.badge.img+3
    • EmDee
    • Author
    • New Contributor
    • July 10, 2017

    Hey, so turns out that the domain joiner account I was using with my directory binding profile was the problem - I'm not quite sure why, as I had used it to manually bind a machine to AD in order to test it, so I tried my own credentials in the binding profile (not ideal) and everything worked fine.

      Terms & ConditionsCookie settingsAccessibility statement